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This paper studies the security of a secure communication scheme based on two discrete-time 
intermittently-chaotic systems synchronized via a common random driving signal. Some security 
defects of the scheme are revealed: 1) the key space can be remarkably reduced; 2) the decryption 
is insensitive to the mismatch of the secret key; 3) the key-generation process is insecure against 
known/chosen-plaintext attacks. The first two defects mean that the scheme is not secure enough 
against brute-force attacks, and the third one means that an attacker can easily break the cryp- 
tosystem by approximately estimating the secret key once he has a chance to access a fragment 
of the generated keystream. Yet it remains to be clarified if intermittent chaos could be used for 
designing secure chaotic cryptosystems. 
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In [l^, a new method of generating pseudo- 
random keys from discrete-time chaotic systems 
using a noise signal was proposed for designing 
secure communication schemes. In this method, 
the noise signal serves as a common driving sig- 
nal to synchronize two dynamical systems and 
forces them to be intermittently chaotic, ensuring 
that they generate the same pseudo-random keys 
for both encryption and decryption. This paper 
studies the security of the above-referred secure 
communication scheme and points out its severe 
security defects, showing that the scheme is inse- 
cure against both inexpensive brute-force attacks 
and known/chosen-plaintext attacks. At present, 
it is not yet clear whether or not the existence of 
intermittent periodicity is always an essential de- 
fect of this kind of secure chaotic cryptosystems. 



I. INTRODUCTION 

The idea of using chaos to design analog secure com- 
munication systems and digital ciphers has provoked 
a great deal of research efforts since the early 1990s 
QiMQ' Meanwhile, security analysis of various proposed 
chaotic cryptosystems also attracts increasing attention, 
and some chaotic cryptoswtems have been found insecure 
64 8, MOaia dJl^^ 20, 21, 

IlllMQTSlMMlllllllsO^^ 35, 36]. 

Most analog chaos-based secure communication systems 
are based on chaos synchronization technique j37j , where 
the receiver (response or slave) chaotic system synchro- 
nizes with the transmitter (drive or master) system via 
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a signal transmitted over a public channel. After the 
chaos synchronization is achieved, the plain-signal can 
be recovered in different ways corresponding to different 
structures of the encryption algorithms. According to 
the method used for encrypting the plain-signal, there 
are four common types of chaos synchronization-based 
encryption structures 0, 0, 113 : chaotic masking, chaotic 
switching (or chaotic shift keying - CSK), chaotic mod- 
ulation and inverse system approach. Since many early 
chaos-based secure communication systems are found in- 
secure against various attacking methods, some counter- 
measures have been proposed in the hope of enhancing 
the security: 1) using more complex dynamical systems, 
such as hyperchaotic systems or multiple cascaded het- 
erogeneous chaotic systems [s^; 2) adding traditional ci- 
phers into the whole cryptosystem 3) introducing a 
discrete-time impulsive signal instead of a continuous sig- 
nal to realize synchronization 0, l4l| . The first counter- 
measure has been found not secure enough against some 
attacks 0, 0, 12J |2^ , and some security defects of the 
second have also been reported , but the last one has 
not yet been broken to date. 

In ^ ^ ^'^^ "^^y to enhance the security of 

chaos-based secure communications, a new synchroniza- 
tion method was proposed for multiple discrete-time dy- 
namical systems driven by a common random signal. Dy- 
namical systems synchronized in this way work in inter- 
mittent chaotic states, i.e., alternatively switching be- 
tween chaotic and periodic regimes. In [l|, this new syn- 
chronization method was used to construct a new secure 
communication scheme, in which the two synchronized 
intermittently-chaotic systems generate the same pseudo- 
random keystream. The pseudo-random keystream is 
then used for encrypting the plaintext at the transmitter 
end, and for decrypting the ciphertext at the receiver, via 
a piecewise linear encryption/decryption function origi- 
nally used in |40l | . The core of this secure communication 
scheme is the key-generation process based on the two 
discrete-time intermittently-chaotic systems. In it 
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was claimed that the key-generation process is very sen- 
sitive to the mismatch of the secret key so it is very secure 
against attacks. To the best of our knowledge, this secure 
communication scheme is the first and the only one based 
on intermittent chaos, and it has not been cryptanalyzed 
before. 

This paper analyzes the security of the above-referred 
secure communication scheme, and reveals some of its 
security defects: 1) some secret parameters (i.e., sub- 
keys) can be eliminated or directly estimated from the 
ciphertext, so that the available key-space is drasti- 
cally reduced; 2) the decryption is largely insensitive 
to the mismatch of the secret key; 3) the chaos-based 
key- generation process is insecure against known/chosen- 
plaintext attacks. The first two defects mean that 
this communication scheme is not secure enough against 
brute-force attacks, and the third defect means that an 
attacker can easily break the cryptosystem by approxi- 
mately estimating the secret key once he has a chance 
to get access to a fragment of the generated keystream. 
It is not clear, at this stage, whether or not intermittent 
chaos is always unsuitable for designing secure chaotic 
cryptosystems. 

The rest of this paper is organized as follows. In the 
next section, a brief introduction to the secure commu- 
nication scheme under study is given. In Sec. IIIII crypt- 
analysis is shown in detail along with experimental veri- 
fication. The last section concludes the paper. 

II. THE SECURE COMMUNICATION SCHEME 

The secure communication system proposed in Q is 
described as follows. 

The transmitter system is 

= tanh(/i(azj"'"^ + Ut)) — tanh(/i6zf "'"^), (1) 

and the receiver system is 

Zj+i = tanh(^(azp^ + ut)) — tanh(^6zj^^), (2) 

where /x, a, b are positive parameters. The synchroniza- 
tion between these two discrete-time dynamical systems 
is realized via a common driving signal, 

Ut = 0(rt) = 0(rt +fit) ^ \ ^' ^ I' (3) 

\^B, rt> 9, 

where rt is a random telegraph signal (RTS) given by 

{a, with probability p, 
(4) 
/3, with probability 1 — p, 

and /it is noise introduced by the channel during the 
transmission of r* (note that fit may be different at 
the sender and the receiver ends). To facilitate the fol- 
lowing descriptions, without loss of generality, assume 



< a < (3 and < A < B. Then, a typical value of 
6* is (a -I- /3)/2, which is the middle value of the interval 

In the above secure communication scheme, the RTS 
signal rt randomly switches the dynamics of the two 
discrete-time maps ^ and (|2l by changing the value 
of one control parameter, Uf. According to P, Sec. II], 
when /i, a and b are set to make the two maps chaotic 
for Ut ~ 0, increasing ut will cause the maps to go into 
the periodic regime. Thus, by choosing the values of A 
and B properly, the two synchronized systems can be 
configured to work in the chaotic regime for ut = A and 
in the periodic regime for ut = B, respectively. That 
is, the two maps are not fully chaotic, but intermittently 
chaotic, under the control of the random signal ut- In 
this case, the two systems can reach synchronization af- 
ter a limited number of iterations if p is not too large 
|42l |. According to our experiments, p < 0.8 is required 
when ^ = 5,a ^ l,b = 1,A = a ^ 0.02, B = /? = 0.2 
(the default values used in 0). 

The encryption procedure is composed of two processes: 
the key-generation process and the encryption process. 
Similarly, the decryption procedure is composed of the 
key-generation process and the decryption process. Both 
procedures can be described as follows. 

• The key-generation process: the transmitter 
and the receiver generate two pseudo-random 

keystreams, {K} = Zj"'^''} and {Kf — zp''}, respec- 
tively. 

• Assuming the plain-signal is mt and the transmit- 
ted cipher-signal is St, the encryption procedure is 
St = (mtjKf), where ^(a;,j/) is a piecewise lin- 
ear encryption function originally used in |40| : 

{(.T + y) + 2w, —3w < X + y < —w, 
(x + y), ~w < X + y <w, (5) 

{x + y) — 2w, w < X + y < 3w. 

As mentioned in Q|, \E'"(a;,y) can be replaced by 
other encryption functions. 

• Assuming the received cipher-signal is St = St + St, 
where 6t is the noise introduced in the transmission 
channel, and the recovered plain-signal is rht, the 
decryption procedure is rht = V?" (st, —Kf^. 

The secret key of the key-generation process is 
{/i, a, 6, A, B, 9} and the secret key of the encryption func- 
tion (O is {ri, w}. 

An enhanced key-generation process was also proposed 
to improve the security of the generated key-stream: use 



Note that Eq. (9) in Q, 6* = a + (a -|- /3)/2, is wrong, since a -|- 
{a -\- fS) /2 > f3 when a < 13 < 2a. In fact, under the assumption 
that noise fit has zero-mean and symmetric distribution [y, the 
best value of 9 should naturally be the middle value of [a, (3]. 
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k {k > 1) difFcrcnt systems instead of a single one at both 
ends, and take the maximal value of the outputs of all k 
systems at each time instant to determine and K^. 



III. CRYPTANALYSIS 

Before starting to analyze the security of the above- 
referred secure communication scheme, some security 
guidelines are reviewed. Following the well-known Kerck- 
hoffs' principle in cryptology the security of a cryp- 
tosystem should rely on the secret key only, which means 
that an attacker knows all details about the cryptosys- 
tem except for the secret key. For this secure communi- 
cation scheme to be analyzed, the following assumptions 
are made: 

• the attacker does not know the secret keys 
{/U, a, 6, A, B, 6} and {n, w}. 

• the attacker exactly knows Eqs. to (IS)); 

• the attacker has full control on the channel over 
which the cipher-signals St , St and the common 
driving signals rt,f( are transmitted, where "full 
control" means that the attacker not only can pas- 
sively observe the transmitted signals but also can 
actively change the transmitted signals st and rt- 

Actually, in some special scenarios, it is possible for an 
attacker to get some useful information or even inten- 
tionally choose some information from the transmitter 
and/or the receiver. As a result, from the cryptograph- 
ical point of view, to provide a high level of security, 
a cryptosystem should be secure enough against all the 
following four attacks (listed from the hardest to the eas- 
iest): 

• the ciphertext-only attack - the attacker can only 
get ciphertexts and other publicly-transmitted in- 
formation (such as the common driving signal in 
the scheme under discussion); 

• the known-plaintext attack - in addition to some 
basic information, the attacker can get some plain- 
texts and the corresponding ciphertexts; 

• the chosen-plaintext attack - in addition to some 
basic information, the attacker can choose some 
plaintexts and get the corresponding ciphertexts; 

• the chosen-ciphertext attack - in addition to some 
basic information, the attacker can choose some ci- 
phertexts and get the corresponding plaintexts. 

The last two attacks, which seem to seldom occur in 
practice, are feasible in some real applications Sec. 
1.1] and has become much more common in today's net- 
worked world. In the following, it will be pointed out 
that the secure communication system under study is 
not secure enough against the first three attacks. 



This paper imposes a simple assumption, /it = and 
St = 0, to make the discussion of cryptanalysis easier. 
Note that removing the two noise signals has no in- 
fluence on the security analysis of the studied scheme. 
Also, fit and St can be directly removed in some applica- 
tions, for example, when the whole system is constructed 
digitally in computers and the transmission channels 
are digital storage media (such as floppy disks, hard 
disks, CDs, flash-memory disks, etc.) or networks com- 
pletely digitized with some error-correction mechanisms. 
In addition, one generally simulates secure communica- 
tion schemes via some mathematical softwares, such as 
Matlab®, where no channel errors occur. 



A. Reduction of the key space 

The simplest attack to a cryptosystem is known as the 
brute-force attack consisting of exhaustively searching all 
possible keys. The complexity of such a simple attack is 
determined by the size of the key space, i.e., the number 
of all valid keys. From the cryptographical point of view, 
the size of the key space should not be smaller than 2^°" 
to provide a high level of security jZ^I • In this section, it 
is to point out that the studied communication system is 
not secure enough since its key space is not sufficiently 
large, which is caused by the key space reduction and low 
sensitivity of decryption to the secret key. 

The secret key of the key-generation process 
{fi, a, 6, A, B, 9} can be immediately reduced to {a^ = 
fj-a.b^ = nb,Af^ = fiA,B^ = fiB,9} by rewriting the 
chaotic equation as follows: 



Zt+i = tanh (a,,zt -I- u^,t) - tanh {b^,Zt) , 



where 



tJ'(f>{ft) 



fiA = A^, 
fiB = B^, 



n < 
ft > 



(6) 



(7) 



In addition, as stated in this secure communication 
scheme is not sensitive to 6. Actually, 9 depends only 
on the distribution of the noise signal fit and under most 
conditions 9 ^ [a + /3)/2 can work well. Therefore, from 
the cryptographical point of view, 9 should not be in- 
cluded in the secret key. Thus, the secret key of the 
key-generation process is reduced to {a^, 6^, Af^, i?^}. 

The secret key of the encryption function Q was 
claimed to be {n, w} in Since the range of the cipher- 
signal St is [—w,w], one can set w be the maximum of 
St I in a long period of time. This means that w can 
be removed and the secret key is further reduced to {n} 
only. 

In the following, only {a^, 6^;, A^, i?^, n} will be used 
as the secret parameters of the secure communication 
scheme for further analysis. 
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B. The "plausible" sensitivity of the decryption 
error to parameter mismatch 

In 0, some experiments were reported to show that 
the secure communication scheme is very sensitive to 
parameter mismatch: even a small difference of order 
10~® in fi, a or P will cause a relatively large decryp- 
tion error (see Fig. 6 of Assuming such a sen- 
sitivity holds equally for all the four secret parameters 
{a^,bf^, A^, B^}, one can see that the size of the key 
space of the key-generation process will not be less than 
(10®)^ = 10'^^ ~ 2^°^, which is cryptographically large. 
However, our numerical study shows that the data given 
in Fig. 6 of are wrong, so they reached a false conclu- 
sion on the sensitivity to the secret key in decryption. In 
fact, we found that the sensitivity is mainly dependent 
on the values of p and n, and that this sensitivity is too 
weak to provide a high level of security when n is not too 
large {n has to be as large as 2'^^ as discussed below). 

At first, let us revisit the case experimentally studied 
in Sec. III-C of where the key^ is {a^ = 25,6^ = 

5, Afj_ = 0.05, -Bp = 1,71 = 71}, w = 1, and the plain- 
signal is rrit = 0.8 sin(27rt/4). In Q, it was not explicitly 
mentioned what the sampling frequency is. Here, we as- 
sume that the plain-signal is sampled at a frequency of 
100 Hz. When the decryption key is {a'^ = ap(l+(5), 6^ = 
6^(1 + S),A'^ = A^{1 + S),B'^ = B^{1 + 6)}, where 
S = 0.001 is the relative parameter mismatch^, the de- 
crypted plain-signal rht and its spectrum are shown in 
Fig. n] (for comparison, the waveform and spectrum of 
mt are also plotted). One can see that the plain-signal 
is decrypted with only a little intermittent noise, which 
means that the sensitivity of the encryption scheme to 
the parameter mismatch is very weak. Further exper- 
iments show that with a larger 6 it is still possible to 
approximately recover the plain-signal rrit, at least in 
the frequency domain (sec Fig. |21 for the decryption 
plain-signal rht when i5 = 1). What does 6=1 mean? 
It means that even a secret key satisfying a'^ = 2a ^, 
b'^ = 26p, A'^ = 2Af^ and B'^ = 25^ can be used to ap- 
proximately recover the sinusoidal signal. To observe the 
relationship between the recovery errors and the value of 

6, defining the decryption error ratio (in power energy) 
as DER = (X^tC"^* ~ "it)^) /X^t"^*' 1''' different values 
of 6 have been tested and one experimental result* is 
shown in Fig.|3| The results imply that any key satisfying 

<a'^< 2a^, bj2 < b'^ < 2b^, A^/2 < A'^ < 2A^ 
and Bf^/2 < B'^ < 25^ can be used to approximately re- 
cover the sinusoidal signal. Roughly speaking, the closer 
the key to the real key, the smaller the recovery errors 



^ Note that the value of b shown in the caption of Fig. 5 of 
should be 1.0, not 5.0. In fact, the default secret parameters 
used in are always /i = 5, a = 5,b = 1 (5/5/1-oscillator). 

^ Since Afj, may be very small in practice, the relative mismatch is 
more suitable for analysis than its absolute counterpart. 

^ All experiments show similar results, so only one is plotted here. 



will incline to be. Clearly, this will cause fatal collapse 
of the key space and so dramatically reduce the security 
of the scheme. Thus, one question arises: how can one 
explain such an undesirable insensitivity? 
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FIG. 1: The waveforms of the original plain-signal mt = 
0.8 sin(27rt/4) and the decrypted signal mt, and their relative 
power spectra, when S = 0.001, p = 0.3 and n = 71. 



i 




ii 


1 


Ii 




2 


4 


6 


8 10 12 

time (sec) 


14 


16 


18 20 



































0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8 2 

frequency (Hz) 



FIG. 2: The decrypted plain-signal rht and its relative power 
spectrum, when mt = 0.8 sin(27rt/4), S = 1, p = 0.3 and 
n = 71. 

In our opinion, the reason behind this interesting phe- 
nomenon should be attributed to the fact that the in- 
volved dynamical systems show chaotic behaviors with 
a probability less than p When p < 0.5, the peri- 

odic behavior will dominate the evolution of Kt, therefore 
Kf will not be so sensitive to parameter mismatch in an 
average sense, as expected in a fully chaotic regime. Ob- 
serving the difference between Kf and , shown in Fig. 
21 the above explanation can be understood conceptually. 

Next, let us find out how the sensitivity changes as p 
increases. Following the above qualitative explanation on 
the low sensitivity of the decryption error for p = 0.3, it 
can be expected that the chaotic behavior occurs more 
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not the above claim is right for all cryptosystems based 
on intermittently chaotic systems. 
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FIG. 5: The decrypted plain-signal rht and its relative power 
spectrum, when mt — 0.8 sin(27rt/4), S = 0.001, p — 0.7 and 
n = 71. 



FIG. 3: The experimental relationship between DER and the 
value of 5, when p — 0.3 and n = 71. 
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FIG. 4: The two difference signals, Kf — K] (top) and 
*"(0,is:?) - ^''[Q,Kl) (bottom), when 5 = 0.001, p = 0.3 
and n = 71. 



and more frequently as p increases, so that the decryption 
error will become more and more sensitive to parameter 
mismatch. Taking p = 0.7 as an example, experiments 
show that the decryption error when 5 = 0.001 is similar 
to the case when p — Q.i and i5 = 1 (see Figs. OandlHlfor 
the experimental results and compare them with Figs. ^ 
and 01 . Further experiments have been carried out to 
check on some other values of p, and the results are sum- 
marized in Table Note that the synchronization will 
become too slow or even impossible when p > 0.8 [i^ . 
From the data listed in Table HI it is clear that even for 
the maximal value of p, i.e., p = 0.8, the sensitivity of 
the decryption error to parameter mismatch is not suf- 
ficiently high. To avoid such an insensitivity. one has 
to ensure the dynamical system evolves in the chaotic 
regime in all time, i.e., to set p = 1. However, in this 
case the synchronization will become absolutely impos- 
sible 0|- This seems to imply that the proposed se- 
cure communication scheme based on intermittent chaos 
is always insecure from the cryptographical point of view 
[isj . Yet, it remains to theoretically clarify whether or 




FIG. 6: The two difference signals, Ki — Kl (top) and 
*"(0,ift^) - <i'"{Q,Kl) (bottom), when 5 = 0.001, p = 0.7 
and n = 71. 



TABLE I: The largest insensitive parameter mismatch 5n 
with respect to p. 
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Another fact one can find from Figs.2]and|51is that the 
difference between and is significantly magnified 
by the encryption function |SJ). By rewriting the n-fold 
encryption function as ^'"(x, y) ~ '^'{x + ny), where 



{{x + w) mod 2w) — w, 



{{x/w) mod 4) ^ 3, 
i{x/w) mod 4) = 3, 



one can easily find that such a magnification is mainly 
determined by the multiplication factor n: the larger the 
n is, the larger the magnification will be. This suggests 
that the sensitivity of Kt is improved by using a larger 
value of n. However, n has to be very large to increase 
the sensitivity to an acceptable level of security since the 
magnification spreading rate here is linear. For example, 
when p = 0.3, to make the actual sensitivity be in the 
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order of 10~®, as reported in 0, n > 2'^^ is required. 
Figs. [3 and IHl show the decryption results when n = 2'^^ 
and n = 2^^, respectively. The sinusoid signal nit can 
still be distinguished when n = 2^^ whereas the spectral 
peak of rrit at 0.25 Hz is suppressed when n = 2^^ (but 
the signal is still partially visible). This result actually 
implies: 

• The decryption is largely insensitive not only to the 
mismatch of the secret key of the key-generation 
process, but also to the secret key of the encryption 
function lO, so brute- force attacks to the whole 
chaotic cryptosystcm are quite easy. 

• The security of the studied communication scheme 
is ensured by the encryption function \E'"(x,?/), not 
by the chaos-based key-generation process. In other 
words, if the key-generation process is directly used 
as a keystream generator to encrypt the plain- 
signal, the cryptosystem will be rather weak. This 
means that the chaos-based key-generation process 
is irrelevant to the security of the studied secure 
communication scheme. 
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FIG. 7: The decrypted plain-signal rht and its relative power 
spectrum, when mt — 0.8 sin(27rt/4), 5 = 10"*, p — 0.3 and 
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FIG. 8: The decrypted plain-signal rht and its relative power 
spectrum, when mt = 0.8 sin(27rt/4), 5 = 10~*, p = 0.3 and 



Finally, it should be mentioned that the experimental 
data given in P] are actually wrong. When p = 0.3, n = 
71, our experiments show that the power energy of the 



decryption error is much smaller than the one shown in 
Fig. 6 of 0. For example, when S = 0.001, the power 
energy is only 0.093086. It is found that the data for 
p = 1 — 0.3 = 0.7 agree with Fig. 6 of P|. We guess that 
the authors of mistook the value of p. 



C. Breaking the key-generation process by 
known/chosen-plaintext attacks 

In a known/chosen-plaintext attack, the attacker can 
get the plain-signal mt, so it is possible to find an ap- 
proximate key {a^, 5^, A^, B^} by searching the whole 
key space. Here, we assume that the value of n is known. 
As discussed above, the decryption error is not sensi- 
tive to the mismatch of {a^, 6^, A^, B^}, so the searching 
complexity will be small practically. Assuming that the 
range of the four secret parameters are S [12, 50], 6^ S 
[2.5, 9.5], e [0.02, 0.1], G [0.5,2], respectively, the 
searching steps are chosen as 6a^ = = 1 , ^a^ = 
0.01, (5b = 0.1, respectively^. Note that the range and 
the searching step of 6^ are intentionally chosen to make 
sure that the real value b^ = 5 cannot be visited in the 
current searching precision, which is common in real at- 
tacks since the real values of the secret parameters are all 
unknown. In this case, the number of all searched keys is 
44928 ~ 2^^-^, which is very small even for a PC. For each 
guessed key, the decryption error ratio in power energy 
(DER, see the previous subsection) is calculated. Using 
Matlab® 6.1, about 4.37 hours is consumed on a PC with 
a 1.8GHz Pentium® 4 CPU and 256MB memory to test 
all 44,928 keys. The minimal DER occurs when the key 
is {a^ = 27,6^ = 5.5,1^ = 0.06, i?^ 1}. The DER 
with respect to {a^, b^} and {A^, i?^} are shown in Figs. 
1^ and [TUl respectively, from which one can see that the 
minimum is sufficiently distinguishable from other val- 
ues in the current searching precision. Compared with 
the real key {a^ = 25, b^ = 5, = 0.05, = 1}, such 
a key is good enough to get an acceptable decryption per- 
formance (see Fig. Illf) . Of course, by doing more rounds 
of searching in smaller ranges with smaller steps, it is 
easy to get a more accurate estimation of the secret key. 
Moreover, since the DER function can be continuous, it 
may be possible to use some local minimization scheme 
to hasten the search further. 

In the following, we revisit the security problem stud- 
ied in Sec. III.C of 0: "/low secure is the key generator 
if the intruder has access to a key fragment, Kt, and the 
corresponding synchronizing signal, i?t, ti < t < i2 ?" 
When the n-fold encryption function '^^{x, y) is replaced 
by another encryption function that is invertible with 
respect to Kt, such as the XOR operation widely used 



^ In 0, these ranges are not explicitly given, so we just choose 
typical ranges that can ensure the intermittent chaoticity of the 
sender and receiver maps. 
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FIG. 11: The decrypted plain-signal rht and its relative power 
spectrum with the estimated parameters {2^ — 27, 6,^ — 
5.5, — 0.06, — 1} in a real attack, when rrit — 
0.8sin(27rt/4), 5 = 10~^ p = 0.3 and n = 71. 



in cryptography the above attacking scenario will 
be possible in known/chosen-plaintext attacks. In this 
case, it is obvious that one can immediately construct 
a return map by plotting the relationship between Kt+i 
and Kt. When fj. = 5,a = 5,b = 1,A = 0.01,5 = 0.2 
and p = 0.3 (the default parameters used in and also 
used in the above sensitivity analysis), a return map con- 
structed from 9,000 samples of Kt is shown in Fig. 112b . 
It is clear that the two branches correspond to the fol- 
lowing two maps: 

Kt+i = tanh(a^ii:t + A^)-tanh(6^ift), (8) 
Kt+i = tanh(a^ift + B^) -tanh(6^/i:t), (9) 

respectively. In fact, with less samples it is still possible 
to distinguish the two branches if they are not very close. 
Two return maps constructed from 1,000 and 200 samples 
of Kt are shown in Figs. andlT^. respectively. Once 
the two branches arc distinguished, one can choose three 
points on each branch to try to numerically solve the 
three secret parameters in the corresponding equation. 

In it was claimed that numerical solutions of Eqs. 
(jHl and jnj cannot work well due to the high sensitivity of 
the decryption error to the parameters mismatch. Unfor- 
tunately, as pointed out above in this paper, the decryp- 
tion error is actually not sufficiently sensitive to the pa- 
rameter mismatch. As a result, rough estimations of the 
secret parameters can work well to generate a keystream 
Kt « Kt for most samples. One can directly get estima- 
tions of all the four secret parameters with the following 
simple method discussed in Q: 

• and S^: the y- intercepts of the two branches are 
= tanh(A^) and Kg = tanh(S^), respectively, 

so Af, = tanh"^(is:^) and Bf, = tanh"^(i4:^); 

• 6^: since > 26^ P, Sec. II], the tails of 
both branches will approach f{x) = 1 — tanh(6^j:) 
quickly as x increases (see Fig. IT^). thus 6^ can 
be approximately derived from a point {Kt,Kt+i) 
lying in the tail: 6^ « tanh"^(l — Kt+i)/Kt, 

• a^: once is approximately known, it is easy 
to derive from a point {Kt,Kt+i) lying in 
the A-branch, as follows: « (tanh~^(/irt-|_i + 
tanh(5^i^t)) - ^^)/A't, or a point {Kt,Kt+i) ly- 
ing in the i?-branch: « (tanh~^(A'(_|_i + 
tanhib^Kt)) - B^)/Kt. 

Note that 6^, A^ and depend only on the sampling 
points in the return map, and that depends on the 
estimation of 6^ and B^ . This means that the error prop- 
agation only occurs for a^. Since is relatively larger 
than the other three parameters, it is less sensitive to 
the estimation errors. Based on the only 200 samples 
shown in Fig. 112b . the secret parameters are estimated 
as follows: 

• K\ « 0.05 ^ A^ = tanh^^X^) « 
0.05004172927849, and the relative estimation er- 
ror is 5a, = - A^\/A^ « 8.346 x lO'^; 
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FIG. 12: The return maps plotted with a variable number of known samples of Kt: (a) 9,000 samples; (b) 1,000 samples; (c) 
200 samples. 



• K% w 0.7618 ^ Bf, = tanh-\K°^) « 
1.00049031787725, and the relative estimation er- 
ror is Sb^ = \Bf, - B^,\/B^, w 4.903 x 10"^; 

• the point (/^s ~ ^0.7624, A'4 ~ 9.766 x 10""^) 
is used to derive w tanh^^(l — K^jKj, « 
5.00000000000003, and the relative estimation er- 
ror is (5b^ = - 6^1/6^ w 3 X lO^i''; 

• the point (i^M w 9.368 x 10"^, ^15 w 0.0686) lying 
in A-branch is used to derive ~ (tanh~^(A"i5 + 
tanh(fe^A'i4)) - A^,)|Kl^ w 24.9554555, and the 
relative estimation error is (5a = lo/i ~ O/il/fl/j ~ 
1.782 X 10-3. 

Recalling the weak sensitivity of the decryption error to 
parameter mismatch when p = 0.3, it can be expected 
that the above estimation will achieve a rather good de- 
cryption performance. Figure lTSl gives the decryption re- 
sult when TTit = 0.8 sin(27rt/4). We have also tested the 
decryption performance when nit is a music file (a PCM- 
encoded 16-bit wav file with the sampling frequency of 
44kHz), where the decrypted plain-signal rht is further 
enhanced with a low-pass filter. Figure El shows the 
decryption result, from which one can see that the plain- 
music is almost perfectly reconstructed. 

Note that only tens of samples may already be enough 
for estimating the four parameters. When the number 
of samples is too small, the two branches will not be 
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FIG. 13: The decrypted signal rht and its relative power 
spectrum with the estimated parameters, when rrit = 
0.8sin(27ri/4), p = 0.3 and n = 71. 



clear. Fortunately, one can still tell on which branch some 
points {Kt,Kt^i) lie if Kf < 0.1 since in most cases the 
two branches separated are sufficiently apart for Kt G 
[0,0.1]. 

Recalling the data shown in Tabled the precision of 
the above estimation is good enough for all values of p. 
Actually, even when the estimated parameters are not 
accurate enough to get an acceptable decryption per- 
formance, the attacker can still employ a more sophis- 
ticated algorithm to numerically derive the parameters 
with a higher precision. In this case, the estimated 
values can serve as good initial conditions for the em- 
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FIG. 14: The decrypted result with the estimated parameters, 
when mt is a music file, p — 0.3 and n = 71 (from top to 
bottom: the waveforms of mt, rht and the filtered rht, and 
the relative power spectra of the three signals). 



ployed numerical solving algorithm. This implies that 
the breaking of the secret parameters from a fragment 
of Kt is always possible, independent of the sensitiv- 
ity of Kt to the parameter mismatch. In other words, 
the key- generation process is always insecure against 
known/ chosen-plaintext attacks. One can see that this 
result agrees with the similar result obtained in the last 
subsection - the security of the studied secure commu- 
nication scheme is ensured by the encryption function 
^'"(a;,?/) (not by the chaos-based key- generation process). 
Once again, it discourages the use of intermittent chaos 
in cryptography. 



D. The security of the enhanced key-generation 
process against known/chosen-plaintext attacks 

In this subsection, we consider the security of the en- 
hanced key-generation process proposed in 0] against 
known/chosen-plaintext attacks. Assume m (m > 1) 
different dynamical systems are used to generate the 



keystream Kt. Kt = max 



k=l 



tanh [a^z^ 



where 



tanh (b 



Apparently, in the enhanced key-generation process, the 
number of secret parameters will increase to be 4to and 
the return map will be distorted to some extent. Un- 
fortunately, it is found that such an enhancement is 
not as secure as expected against return-map-based at- 
tacks. As an example, let to = 4 and the parameters be 
{al,al,a%al} = {7.5,22.5,25,27.5}, {bl,b%b%bl} = 
{2.5,4.5,5,5.5}, A]^ = = Al = ^ 0.01 and 
B], ^ B'l = Bl = = Q.2. The return map from 
10,000 samples is plotted in Fig. 115k .. Compared with 
Fig. 112b . although one cannot find the shape of all 
the 8 branches corresponding to 8 different equations, 
two of them can still be clearly seen, as shown by dot- 
dashed lines (which are local edges of the return map). 
Two exposed branches belong to the first dynamical 
sub-system: zt+i = tanh(a^2:4 -I- A^^) — tanh(6j'^zt) and 
zt+i = tanh(a^zt -I- B^) — tanh(6^2:t). Using the method 
discussed above, one can easily get an estimation of the 4 
secret parameters {a^, 6^, A^, B^}. This method can be 
further generalized to break even more parameters: the 
several dots marked by the arrow actually expose another 
branch, zt+i = tanh(a^zt -I- A^) — tanh(6^0t), which be- 
longs to the second sub-system and is shown by a dotted 
line in Fig. 115b .. Since no point is available near the y- 
intercept of this branch, the simple estimation method 
is disabled, but numerical algorithms can still be used to 
get the values of {a^, 6^, ^^} by using only three different 
points. Now, about half of the secret parameters are bro- 
ken with the return-map-based cryptanalysis. Although 
it seems very difficult to break other secret parameters 
in a similar way, the breaking of partial parameters still 
reduces the security of the enhanced key-generation pro- 
cess quite significantly. 

To frustrate the above partial attack, one may change 
Kt = max^j^ (^Zt^ to other functions. In Fig. 115b . the 
return map corresponding to the mean function Kt = 
[z] + z"^ + 2^-1- Zt)/A is shown. It can be seen that the 
return map is further distorted and the edges become 
much more ambiguous. However, there are still some 
visible curves (marked with arrows) hidden in the noise- 
like return map. It is not clear whether or not these 
visible curves can be used to break some secret parame- 
ters. From a conservative point of view, the risk always 
exists, so a good mixing function has to be found to re- 
move any visible information in the Kt — Kt+i return 
map. We have tested many simple functions and their 
combinations, and found that it really is a difficult task. 
Considering the non-uniform distribution of Kt over the 
defining interval (see Fig. 3 of guessed that 

only iterative chaotic maps with a good mixing property 
|45j can smooth the distribution of Kt and then effec- 
tively remove the visible curves. In Fig. 115b . the 24- 
fold skew-tent map is used to generate the keystream: 
Kt = T24((z1 + z^ zf + zf)/A, 0.3), where 



(10) 



T{x,p) 



x/p, < X < p, 

{l-x)/{l-p), p<x<l. 



(11) 
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FIG. 15: The return maps constructed from 10,000 samples of Kt in the enhanced key-generation process, when (a) Kt = 
max|=i(4), (b) Kt = [z] + zt + zl + 4)/4, (c) Kt = T''\{zl + ^? + + zf)/A, 0.3). 



One can see that the resulting return map becomes much 
more mixed. Although in such a way the key-generation 
process can be dramatically enhanced, the enhancement 
is caused by the fully- chaotic tent map T{x,p) with a good 
mixing feature, not by the two intermittent chaotic sys- 
tems themselves. This, for the third time, makes the use 
of intermittent chaos in cryptography questionable. 

IV. CONCLUSION 

This paper has carefully studied the security of a se- 
cure communication scheme published in 0, which is 
based on intermittent chaotic systems driven by a com- 
mon random signal. It is found that the key space of 
the studied scheme can be drastically reduced, and that 
the decryption is insensitive to the mismatch of the se- 
cret key, which means that the scheme can be easily bro- 
ken by inexpensive brute-force attacks. Furthermore, it 
has been found that the core of this secure communica- 
tion scheme - the key-generation process - is not secure 



against known/chosen-plaintext attacks: if an attacker 
can get access to a fragment of the generated keystream, 
he can easily estimate the secret key with sufficient accu- 
racy and thus break the entire cryptosystem. The secu- 
rity of an enhanced key-generation process proposed in 
has also been discussed. At present, it is still not clear 
whether or not the existence of periodic regimes in inter- 
mittent chaotic systems always brings negative influence 
on the design of secure chaotic cryptosystems. It is an 
open problem for future investigations. 
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